GDPR and the Blockchain: An Irresistible Force Meets an Immutable Object

Blockchain technology presents very exciting and impactful opportunities to transform higher education, but its potential to move the industry forward is threatened by GDPR policy. It’s critical to find a way for these two seemingly opposing forces to complement one-another.I am not a lawyer, nor do I play one on TV. But I am a person who has spent the last 25 years studying the interplay of technology and education. Generally speaking, over that time educational uses of technology have been playing catch up with the technology itself. That is, rarely have educational needs driven the development of a technology. Instead, educators have almost always taken a technology and tried to adapt it to suit some educational end. Occasionally these adaptations work well, and we are able to do something new with a technology that we couldn’t easily do without it (for example, using MOOC platforms to create affordable degrees at scale). More often, though, we use the technology to try to replicate something that we already do well without it, or perhaps shouldn’t be replicating at all (for example, using MOOC platforms to propagate the poor pedagogy of a lecture).

Once in a while, though perhaps with increasing frequency, technologies come along that have the potential to disrupt our educational ecosystems: Computing and the internet come to mind as good examples. These enabling technologies arrived rife with potential, and though it took a while, particularly in the case of computing, for them to make an impact, when it happened that impact was huge and ongoing. To be sure, these technologies also had an enormous impact on most other aspects of society, but education has been notoriously resistant to systemic change for a long time. Chris Dede once testified before congress that “if all computers and telecommunications were to disappear tomorrow, education would be the least affected of society’s institutions.” Although things are better now, that may still be true today.

Which is why, when a new technology with the potential to significantly improve education is introduced, we would do well to examine it closely and give it every opportunity to succeed. Blockchain may be one such technology. Blockchain is, at its core, an immutable distributed ledger. It is a largely unalterable record of transactions between two or more parties. It stores data in a vast network of connected computers, each of which holds a complete copy of the encrypted data and every change that has ever been made to it. This combination makes blockchain, at least as of this writing, virtually impossible to alter or hack. Blockchain uses public key cryptography, which guarantees that only the sender of a message and the intended recipient can view the message. Blockchain has additional features, such as smart contracts, that add to its value, but for purposes of this discussion let’s just focus on the ledger aspect. It is this capability that makes the technology useful for a wide variety of applications, the most notable of which is cryptocurrency. Cryptocurrencies (of which Bitcoin is the best known) use blockchain to record and verify financial transactions between two entities, without the need for a third party, such as a bank or government, to intervene.

The same secure, peer-to-peer, unalterable aspects of blockchain that make it well suited to financial transactions also make it well suited to a variety of other uses. There are large ongoing projects using blockchain for medical records, voting, and, of relevance here, academic credentials. Blockchain enables education institutions to offer a new set of products and services to their learners. It allows for essentially unlimited granularity in defining and recording student knowledge, skills, attitudes and abilities. Whenever a learner completes some educational objective, be it a degree, a course, a unit or objective, an institution can add a link to the blockchain, recording that accomplishment. Learners can group those achievements in ways of their own choosing and share parts or all of them with interested parties, such as potential employers or graduate schools. Those interested parties can then easily and immediately verify that the student actually does possess those capabilities. Even if the institution goes out of business, as happens all too often in conflict zones, the record of the learners’ achievements will always remain on the blockchain.

And therein lies the rub. By now we are too familiar with regulation failing to keep up with the exponential pace of technological change. Recall, if you were around then, the U.S. patent on multimedia granted to Compton’s in 1993. Compton’s sought to impose a one percent royalty on anyone combining pictures, text, graphics and sound in an easily retrievable fashion. Clearly the patent office didn’t yet understand multimedia, its history, or implications. Fortunately the patent was invalidated the next year. We see the same kind of thing happening now with self-driving cars, or with biotechnologies such as CRISPR. Legislation is scrambling to keep up, or in the case of the General Data Protection Regulation (GDPR), perhaps surging ahead without fully exploring the consequences on new and evolving technologies.

Here comes the “I am not a lawyer” part. GDPR, in case you haven’t looked at email or visited a website in the last few months, is the European Union’s regulation governing data privacy that went into effect May 25th. It is a well meaning attempt to guarantee the protection of data and right to privacy for all “natural” persons in the European Union. (“Natural” in this case means that corporations are not counted as persons.) It doesn’t just apply to people living in the EU; it applies to people who are in the EU at the time they interact with an online service. This means that virtually everyone who offers online educational programs is, or could be, subject to GDPR. There are several portions of the GDPR that have implications for blockchain, but one in particular is easy to understand and serves to highlight the kind of problems that can arise. Article 17 of the GDPR is the “right to be forgotten.” Simplified, it states that a person can have their data erased under certain conditions. But by definition, the blockchain is immutable; data cannot be erased. And here we have the horns of a dilemma. GDPR requires the ability to erase some data; data on the blockchain cannot be erased. This incompatibility alone (and there are several others) could prevent blockchain from being used as long as the GDPR is in effect.

The fundamental issue is that the GDPR was crafted to address the centralized storage of data, and the blockchain is a decentralized system. One hopes that in time reason, logic, and advances in technology will resolve the many incompatibilities, but one also notes that on the first day that the GDPR went into effect $8.8 billion in lawsuits were filed against Facebook and Google. The GDPR is a complicated document, with 99 articles and 173 recitals. There are also many variants of blockchain technology, each presenting different considerations with respect to the GDPR. It will take quite some time to work out all the bugs in each and find a way for them to complement each other.

Let’s hope that the race between legislation and technology doesn’t accidentally eliminate a potential education innovation before it has even gotten started.

– – – –

N.B.

For an excellent and detailed analysis of the implications of the GDPR for blockchain, see Michèle Finck’s Blockchains and Data Protection in the European Union, Max Planck Institute for Innovation and Competition Research Paper No. 18-01 Available at https://ssrn.com/abstract=3080322.

– – – –

References

Dede, C. (1995). Testimony to the U.S. Congress, House of Representatives. Joint Hearing on Educational Technology in the 21st Century, Committee on Science and Committee on Economic and Educational Opportunities. pp. 1582